DET0355: Detection Strategy for Email Bombing
Analyst context for executives and security teams
DET0355 is an ATT&CK detection strategy mapped to Email Bombing, an impact technique where a targeted mailbox is overwhelmed with large volumes of messages. The practical risk is not just inbox nuisance: legitimate business, security, legal, financial, or incident-response communications can be buried at the moment teams need them most.
Executive priority
Security leaders should treat email bombing as an operational resilience and response-readiness issue. The key decision is whether the organization can distinguish abnormal email floods from normal marketing, notification, or business spikes quickly enough to protect critical users and preserve visibility into important messages. This is relevant to SOC readiness, executive protection, help desk continuity, and audit evidence showing that email disruption scenarios are monitored and triaged.
Technical view
The supplied ATT&CK object does not provide official detection logic, but it is mapped to T1667 Email Bombing, which falls under the Impact tactic and applies to Linux, Office Suite, Windows, and macOS platforms. SOC and detection teams should validate whether email-security, mail-server, and identity/mailbox telemetry can identify sudden high-volume inbound message patterns aimed at a single address, especially when the messages originate from many senders or from subscription and mailing-list sources. IR teams should confirm escalation paths for recovering buried legitimate communications and for identifying affected users or business processes.
Likely telemetry
- Email gateway or secure email platform logs showing inbound message volume by recipient, sender, domain, subject, and time window
- Mail server or Office Suite mailbox audit/logging data for delivery rates, quarantine actions, rules, and mailbox saturation indicators
- Help desk or user reports of sudden inbox flooding or inability to find legitimate business messages
- Spam, bulk-mail, and mailing-list classification events
- Authentication or account telemetry where mailbox access, forwarding, or rule changes are reviewed during triage
Detection direction
- Baseline normal inbound email volume per user, role, shared mailbox, and business function, then alert on unusual recipient-focused spikes.
- Tune detections to reduce false positives from legitimate campaigns, newsletters, system notifications, product launches, or incident communications.
- Prioritize monitoring for executives, finance, legal, support queues, security operations, and other mailboxes where buried messages could disrupt decisions or response.
- Correlate email-volume anomalies with user reports and mailbox control changes, but avoid assuming compromise solely from message volume.
- Account for the ATT&CK limitation: DET0355 has no supplied official detection text, so local detection engineering must define thresholds and evidence requirements.
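As an added illustration of the baselining and tuning points above (example code written for this page, not part of the ATT&CK object or of any vendor product), the following Python counts inbound messages per recipient in fixed 10-minute windows over a constructed gateway log and flags a window only when it clears an absolute floor, a multiple of that recipient's baseline, and a minimum number of distinct sender domains. The log format, the allow-listed bulk domain, the baseline values and every threshold are assumptions to be replaced with local data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW_MINUTES = 10       # fixed bucket size used for per-recipient counting
MIN_MESSAGES = 20         # absolute floor so quiet mailboxes do not alert on tiny spikes
SPIKE_FACTOR = 10         # window count must exceed this multiple of the recipient's baseline
MIN_DISTINCT_DOMAINS = 8  # floods usually arrive from many unrelated list/signup sources
KNOWN_BULK_DOMAINS = {"newsletter.example.com"}  # hypothetical allow-listed campaign sender
# Hypothetical per-recipient baseline: typical inbound messages per 10-minute window
BASELINES = {"cfo@corp.example": 1.5, "bob@corp.example": 2.0}

def build_sample_log():
    """Constructed gateway log (ts|sender|recipient|subject); not from any real system."""
    base = datetime(2024, 5, 6, 9, 0)
    lines = []
    for i in range(30):  # 30 signup confirmations from 12 unrelated domains in under 9 minutes
        lines.append(f"{(base + timedelta(seconds=18 * i)).isoformat()}|signup@list{i % 12}.example"
                     f"|cfo@corp.example|Confirm your subscription")
    for i in range(4):   # normal business correspondence to a colleague
        lines.append(f"{(base + timedelta(minutes=2 * i)).isoformat()}|alice@partner.example"
                     f"|bob@corp.example|Re: contract")
    for i in range(25):  # internal campaign from an allow-listed bulk sender: must not alert
        lines.append(f"{(base + timedelta(seconds=10 * i)).isoformat()}|news@newsletter.example.com"
                     f"|allstaff@corp.example|Weekly update {i}")
    return "\n".join(lines)

def parse(log_text):
    events = []
    for line in log_text.strip().splitlines():
        ts, sender, rcpt, subject = line.split("|", 3)
        events.append((datetime.fromisoformat(ts), sender.lower(), rcpt.lower(), subject))
    return events

def detect_email_bombing(events, baselines):
    """Return (recipient, window_start, count, distinct_sender_domains) for flagged windows."""
    windows = defaultdict(lambda: defaultdict(list))  # recipient -> window start -> sender domains
    for ts, sender, rcpt, _ in events:
        domain = sender.rsplit("@", 1)[-1]
        if domain in KNOWN_BULK_DOMAINS:
            continue  # tuning: suppress known campaign/notification sources
        start = ts.replace(minute=(ts.minute // WINDOW_MINUTES) * WINDOW_MINUTES, second=0, microsecond=0)
        windows[rcpt][start].append(domain)
    alerts = []
    for rcpt, buckets in windows.items():
        baseline = baselines.get(rcpt, 0.0)
        for start, domains in sorted(buckets.items()):
            count, distinct = len(domains), len(set(domains))
            if count >= MIN_MESSAGES and count > SPIKE_FACTOR * baseline and distinct >= MIN_DISTINCT_DOMAINS:
                alerts.append((rcpt, start, count, distinct))
    return alerts
```

Running `detect_email_bombing(parse(build_sample_log()), BASELINES)` flags only the CFO mailbox window; the colleague's four messages stay under the floor and the campaign is suppressed by the allow-list (and would also fail the distinct-domain gate, since it comes from one domain).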
Mitigation priorities
- Confirm email filtering, bulk-mail handling, and rate-limiting controls are configured for high-volume recipient-focused floods.
- Define an operational playbook for preserving access to legitimate messages during an email flood, including alternate communication paths for critical teams.
- Protect high-value and shared mailboxes with stronger monitoring and documented escalation procedures.
- Use mailbox and email-security logs as compliance and resilience evidence showing that disruptive email events can be investigated.
- Review lessons learned after events or tests to adjust baselines, exception lists, and SOC triage criteria.
Analyst notes and limits
This take is based on ATT&CK detection strategy DET0355 and its relationship to T1667 Email Bombing. Because the detection strategy has no official description or detection content, recommendations focus on defensible validation questions and telemetry classes implied by the related technique’s behavior.
No active exploitation, attribution, specific tooling, vendor control, or guaranteed detection coverage is stated in the supplied ATT&CK fields. Platforms are not specified on DET0355 itself; platform context comes only from the related Email Bombing technique.
Detection Strategy for Email Bombing
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1667 | Email Bombing | This object detects Email Bombing. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources (Updates).
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | caedec9be590… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: DET0355 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.